Aren't the regulations the problem here? If not for that nobody would be getting pressured to divulge this personal information to every shady app and website in the first place.

Suppose I want to make a service that verifies your age by asking you questions about what life was like before 9/11. Can I do that? And if I can't, is the problem the standards, or the law?

If we're admitting solutions that aren't 100% effective, why can't we admit solutions that aren't 100% effective but are much better at preserving privacy?

How is this improving? It's the most invasive proposal yet, serves to prohibit devices that are controlled by their owners and still doesn't actually work because a) there are still a zillion devices with security vulnerabilities and b) none of this applies to websites hosted in other jurisdictions, so you're not actually limiting the access of minors to anything, you're only inconveniencing anyone who does have servers in the US or interacts with any that are. Which is an extremely large number of people to trouble for a benefit that rounds to zero.

> Surely we shouldn’t give up and regulate nothing...

When we're in the category of speech, let's go with this option all the way to the wall.

I think a lot of us are wary of a world where we have limited selections of software stacks that we can run and do essential things. At some point, we don't own the devices anymore.

I like that Apple is a benevolent overlord, for now.

But I like to be able to run software that I control and participate in the world, and that has alternated between being somewhat harder and prohibitively so. Lockdown of devices (chain of trust, mandatory signed binaries, limitations of device drivers, bootloaders that won’t unlock) makes it increasingly difficult to experiment, repair, or even trust the tools we rely on, and is viewed as a prerequisite for many of these solutions.

--

(I appreciate the alternatives are really hard, and that there are substantial potential downsides creating pressure towards these types of solutions, above and beyond the desires to lock down marketplaces and capture rents).

I don’t see digital identity documents as a threat, though. It’s mostly orthogonal to software provenance, device ownership, secure boot, etc.

PS: we already live in a world where by and large all the software you use is only licensed to you individually. It’s crap. If digital identity makes this more plainly obvious then good. We need fuel to fight unethically and impractically licensed software.

This is true even if the protocols themselves protect privacy well, use zero knowledge proofs, etc… if Google can vacuum it all up from the device representing me, all the privacy-centric design makes no difference.

Biometric data isn't cryptographic in nature. Once you've recorded someone's fingerprint -- which any device using it for authentication would have to do and have the hardware to do -- you can then replay it to any service using the same data for authentication. You don't even have to lift them off of any of the objects people leave them on just by existing, which is also a way to get them. And once someone has them, you can't change it.

Which means the only way to use biometrics to gate this sort of thing is for everyone to be locked out of their own devices (or unable to use devices they're not locked out of), or they could use the device they control to play back the biometric data to whatever external service is nominally authenticating it.

> Which zillion vulnerabilities in the TPM are you referring to?

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=TPM

And those are only the ones specific to a TPM, not any of the ones that impact privileged code the TPM is attesting to the security of.

Notice also that this doesn't require every device to be vulnerable, it only requires any device to be vulnerable. Cheap devices are more likely to be vulnerable and then anyone who wants to bypass anything can get one of those.

This is one of the reasons these systems are so nefarious. You get an iPhone for unrelated reasons and it may not have any current known vulnerabilities, so you are locked out of your own device. Meanwhile some $50 Android or old netbook does have a vulnerability which any kid can get if they want to view age-gated sites, or people set up services to do it over the internet -- and then those services become attack vectors because kids start plugging their parents' IDs and fingerprints into shady bypass services.

The biometric data doesn't leave the device in any of these protocols. Keybinding to TPM keys and Wallet provenance is used. I’m not sure you really understand how this works it sounds more like you have a basic FUD imagining a world where instead of literally uploading a photo of your drivers license you present a digitally signed certificate with the same info. I can’t really argue with FUD other than encouraging you to onboard an mDL version of your government ID and to try using it the next time you fly, provided you live somewhere where this technology has been made available. It’s demonstrably better and you can experience it or talk to someone who has today.

For example, I was involved in a project several years ago on this where this was explored before the big vendors became players. The issue we were studying was abuse of credentials in-person - many bars will capture people’s identity information when validating IDs.

The ability to provide only the attribute securely is awesome, but of course the systematic abuse of this technology by the reactionaries among us will drive adoption.

a) you are still legally required to age verify online alcohol purchases but

b) it’s illegal to use information collected for that purpose for other purposes and

c) Which information is collected is made legible by the user agents

Maybe something around only collecting minimal data, too.

Some of the first eager customers are banks with onerous KYC requirements – they want one click account creation! Good luck changing financial disclosure laws, though, my bank knows quite a bit about me.

If the people writing the law cared about privacy they wouldn't have passed that one, and anybody who does would be repealing it rather than trying to find the best shade of lipstick for the pig.

> Which information is collected is made legible by the user agents

This is the part you don't need a law in order to do because the user can choose their user agent. Or if they can't, you should stop talking about any of this and go fix your antitrust problem.

> you are still legally required to age verify online alcohol purchases but

By conceding this you've already lost, because:

> it’s illegal to use information collected for that purpose for other purposes

This is the part which is hopeless. If they have the information, you're already screwed, because once they have it it's almost impossible for you or the government to know what they're doing with it, which makes those laws nearly impossible to enforce. And on top of that, a large part of the problem is what criminals or governments do once there is a legally-mandated database of all of that stuff, and those entities aren't constrained by laws.

Which is why anybody who really cares about this knows that the only solution is to not have the law requires that data to be collected.

> Good luck changing financial disclosure laws, though

"Slippery slope is a fallacy", they said. "It's just one inch", they said.

I don’t see my primary care doctor selling my health data, due in part to data privacy laws like HIPAA. Consumer companies take COPPA seriously.

You absolutely cannot control what companies do with data, so you want to prevent its collection in the first place – but you can penalize them when they do something wrong, which does influence their beyavior. The jury is still out on the effectiveness of the GDPR, but to say it had no effect would be an odd claim.

Without overstretching the metaphor, it is quite revealing - you wouldn't see your primary care doctor selling that information whether they are or aren't. You don't have an effective way of monitoring the situation. Nobody outside the hypothetical transaction does.

It is common for that sort of situation to go bad if the economics of selling the data make sense despite the risk of getting caught.

It is revealing: I went to same PCP for the first 18 years of my life and he was incredible as a doctor. He ran his own practice. He was also a great IT admin: he managed his own records, paid to digitize all of them including mine. If he betrayed that trust I’d be sad.

But I hear you. A product just needs to come along that provides some benefit, or the practice could be acquired, etc

The healthcare provider uses an EHR. They might have some managed service provider managing their IT assets and their EHR deployment. Two companies they have BAAs with. That EHR company could be cloud hosted, another BAA. They probably rely on other tools and contractors which might have BAAs. Later on when they go to bill they exchange that billing data through billing analysis tools (another BAA) and then submit to a clearing house (another BAA). All of those companies probably have companies they work with that potentially need BAAs as well, if they work directly with that PHI data in the role of working on behalf of that healthcare provider.

One trip to the doctor could potentially involve dozens of companies you've never heard of that might have a business use case to handle your healthcare data in some way or fashion and none of them actually sold that data or mishandled it under HIPAA.

I'm glad I didn't get a diagnosis and treatment for ADHD, ADD, or autism.

The enemy is also government, especially with RFK's anti-autism trend, along with trawling through all medical records with those diagnoses.

Insurance companies are laughing all the way to the bank.

I'm not going to do the legwork for you, but you should be looking around for the way Google is transferring the medical information on 50 million Americans as part of Project Nightingale a few years back, and you should be looking very seriously at medical sites that use Google Analytics in direct violation of HIPAA. The situation here is very much like the situation with the government collecting detailed profiles on every citizen and knowing their location in real time: they're not supposed to be doing it, but the reality is they can and they do.

Snowden's leaks were another great example about how the law doesn't actually matter, if you can't see whether or not it's being enforced.

My point here is if you're counting on the system to protect you, you're going to be disappointed.

Recent example was that I was supposed to give up my ID because I lost my 2FA for a particular site and I refused because I didn't believe they would delete my ID. My friends said that I was paranoid.

https://www.404media.co/id-verification-service-for-tiktok-u...

Oh, you sweet summer child. Bless your little heart. You're right. Doctors don't. Insurance companies do! And that data is passed around like hotcakes to make actuarial datasets which basically have the effect of ensuring premium go up! Several states, in fact, have done everything they can lobbying wise to make sure it remains okay to trade in your personal health data! Also, from personal experience at a PBM, it is at least an offering to get covered populational reports on spend done on behalf of your covered group, meaning employers are given a view of the overall health of their workforce and what that translates to in dollars out the door on their behalf. Information that, of course, would never be used to do strategic layoffs or cross correlation with time taken off to further optimize for cost reduction right?

(Note: if I've had this idea, and rejected it on moral/ethical/legal grounds, there are absolutely people who have had it and hasn't done so).

Most of the important regulations around these things have nothing to do with the topic at hand. Requiring bourbon not to contain methanol and adult performers to be tested for STDs aren't related to the internet.

And once we're talking about the internet, those things are in a different category because alcohol and cigarettes are physical objects. You can't download vodka from Russia.

Whereas if you want to stop kids from downloading porn from other parts of the world, the police state that would require is the thing wars have been fought against and righteously so. Not because of the porn but because of what it would take to actually make those laws effective, and what it would be used for as soon as it's in place.

But ineffective laws aren't worth having, because they're all costs with no benefits, not least because then people will keep trying to make them effective and the only means to do that is the police state.

> Society has grown up and we’re not comfortable giving the internet a pass because digital identity is hard.

I feel like this kind of language is designed to make people angry. As if you're not an adult if you can look at a trade off against privacy and free speech and say "that's not worth having" instead of implementing every creeping authoritarian proposal specifically because the last one didn't solve the problem.

We've been living in exactly that world for decades without issue.

It makes perfect sense for meat space to be treated differently from the internet. A downloaded picture of a cigarette can't be smoked. The only thing that can happen on the internet is the exchange of data, and an ID requirement for that is absurd.

> there are much more “legitimate” use cases for ID verification that happen entirely online with no meatspace concerns like banking and underwriting etc. so it’s somewhat a straw man to get hung up on porn

Amazing how those use cases have survived for these decades without such a law. If I don't need to send a copy of my ID every time I sign into my bank account, what possible argument could be made for the requirement I do so to watch porn?

> Whether the restrictions are justified or not or stupid or not, we’ve decided they should exist

No, we have not collectively decided they should exist. Plenty of laws exist which are unpopular either because of the goal or the execution. Even if a law has majority support, that doesn't mean the minority can't argue against keeping or expanding it. A restriction being unjustified or stupid is a very good argument for not doing additional unjustified or stupid things to enforce that law. It's rather silly that there is a federal law forbidding leaving the country with more than $25 in nickels but it's on the books. Ensuring this law is thoroughly enforced with universal mandatory cavity searches looking for rolls of nickels would be indefensible.

The hacked up solutions for the things existing “perfectly fine” over the last few decades are complete crap. Anybody who’s ever had to take photos of their ID then a confirmation selfie knows this. Anybody who’s had to apply for a loan or open a bank account online knows this. We have wonderfully secure cryptography and you’re arguing we should keep using plastic cards that you can’t even sha256sum.

Yes there is and we all grew up in that world.

Not everything needs or should have strong ID. But no I don’t want my children stumbling into a porn site because they got click jacked by unscrupulous advertisements they never consented to being solicited with. I don’t want them learning about the world that way. A simple age check without revealing any personal info supported by the digital credential standards being discussed here would absolutely be an improvement.

Having my age checked at the time of purchase for alcohol rather than having to present my ID to the delivery person would also be an improvement.

I'm not comfortable giving society digital identity, because being a human and not abusing the primitive is even harder still. And we can't take it back once we've built it. It's just there for every wannabe despot to start building systems of oppression with. And there's an awful lot of them running around with the "best of intentions" to line the way to hell.

Showing your driver's license to the store clerk didn't used to mean the store kept a copy.

I generally agree with your points, but I wouldn't trust Apple, or any publicly traded company, to have any kind of ethics. Just because their incentive to make as much profit as possible, leads to them trying to differentiate themselves from other companies, and thus they choose to temporarily align with privacy concerns doesn't mean they will not compromise on them, if they see better profits elsewhere.

I rather have privacy enforcing regulations like the GDPR or policies that go even further, than relying on publicly traded companies to protect their users.